Cybersecurity Blog

6/11/2021

Canada Post Becomes the Latest Victim of Supply Chain Attack

Canada Post recently announced that it fell victim to a supply chain attack, resulting in a data breach relating to nearly a million receiving customers.

A supply chain attack, also known as a third-party attack, happens when an attacker infiltrates your organization’s system through an outside partner or supplier with access to your organization’s system.

In a press statement released on May 26th, Canada Post said that it had been informed on May 19th by one of its suppliers, Commport Communications, that the supplier had suffered a ransomware attack and that the attack had compromised data belonging to Canada Post customers.

Commport Communications’ electronic data interchange (EDI) solution is used by Canada Post to manage the shipping manifest data of large parcel business customers. Shipping manifests typically include sender and receiver contact information such as the names and addresses of the business sending the item and the customer receiving it.

“In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950 thousand receiving customers,” Canada Post said.

Canada Post added that the impacted shipping manifests were from July 2016 to March 2019 and that the vast majority (97%) contained the name and address of the receiving customer, while the remainder (3%) contained an email address and/or phone number.

“We are now working closely with Commport Communications and have engaged external cyber security experts to fully investigate and take action,” Canada Post said. “We are proactively informing the impacted business customers and providing the information and support necessary to help them determine their next steps. As well, the Office of the Privacy Commissioner has been notified.”

Lorenz Ransomware

According to Canada Post, in November 2020, Commport Communications notified Innovapost, Canada Post's IT subsidiary, of a potential ransomware issue. Canada Post said that Commport Communications advised at that time that there was no evidence to suggest any customer data had been compromised.

In December 2020, the group behind the ransomware called “Lorenz” posted on its data leak site that they had breached Commport Communications during a ransomware attack.

Lorenz ransomware is a relatively new actor in the ransomware field. Like other ransomware, Lorenz encrypts victims’ files and demands a ransom from victims for the decryption tool that would unlock the encrypted files. Michael Gillespie of ID Ransomware told BleepingComputer that the Lorenz ransomware and an older ransomware known as “ThunderCrypt” share the same encryptor. It isn’t clear whether Lorenz and ThunderCrypt are operated by the same group or whether the newer group purchased the source code of the older ransomware to create its own variant.

Like other ransomware, Lorenz ransomware also steals victims’ files. And like other ransomware groups, the group behind Lorenz ransomware maintains a website on which password-protected archives of stolen files are published.

According to BleepingComputer, the group behind Lorenz ransomware differs from other ransomware groups in that it first sells the stolen data to other threat actors or possible competitors. If no one buys the stolen data and the victim refuses to pay, the group releases the password for the password-protected data leak archive, making the stolen data available to anyone who downloads the files.

Another peculiar characteristic of the group behind Lorenz ransomware is that the group also sells access to the victim's internal network along with the data. Access to the victim's internal network, for some threat actors, is more valuable than the data.

“Like other human-operated ransomware attacks, Lorenz will breach a network and spread laterally to other devices until they gain access to Windows domain administrator credentials,” BleepingComputer said. “While spreading throughout the system, they will harvest unencrypted files from victims' servers, which they upload to remote servers under their control.”

Cybersecurity Best Practices

Many human-operated ransomware attacks gain initial access to their victims’ networks by brute-forcing RDP (Remote Desktop Protocol), a network communications protocol developed by Microsoft that allows users to connect remotely to another computer.

RDP servers that use weak username and password combinations, without multi-factor authentication (MFA), without virtual private networks (VPNs), and without other security protections are easily accessed by attackers through brute force attacks, the trial-and-error method of guessing the correct username and password combination. Threat actors have also been known to use RDP for lateral movement. With RDP, attackers can move laterally through the network without the need for credentials.

RDP servers can be protected from brute force attacks by using a strong username and password combination, MFA, and a VPN. Attackers easily scan for internet-exposed RDP through the default RDP port, TCP 3389. Changing the default RDP port essentially hides your organization’s RDP server from the attackers’ default-port scanning efforts.
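A defender-side check for the RDP brute-force pattern described above, as an added example that is not part of the original post or of any Driz Group tooling. The flat one-event-per-line log format and the sample lines are constructed for the example; the event semantics (4625 failed logon, 4624 successful logon, logon type 10 for RDP) are the standard Windows Security log meanings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flat format (real Windows Security logs are EVTX/XML). Windows semantics used:
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"User=(?P<user>\S+) Src=(?P<src>\S+)$")

# Constructed sample log: a password-guessing burst from 203.0.113.7 that ends in a
# successful logon, one honest typo from 198.51.100.4, and a non-RDP failure.
SAMPLE_LOG = """\
2021-05-10T02:14:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2021-05-10T02:14:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2021-05-10T02:14:05 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2021-05-10T02:14:06 EventID=4625 LogonType=10 User=svc_edi Src=203.0.113.7
2021-05-10T02:14:08 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2021-05-10T02:14:10 EventID=4624 LogonType=10 User=jsmith Src=203.0.113.7
2021-05-10T02:20:00 EventID=4625 LogonType=10 User=mlee Src=198.51.100.4
2021-05-10T02:20:30 EventID=4624 LogonType=10 User=mlee Src=198.51.100.4
2021-05-10T03:00:00 EventID=4625 LogonType=2 User=mlee Src=127.0.0.1
"""

def parse_line(line):
    """Return the event as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["eid"], d["lt"] = int(d["eid"]), int(d["lt"])
    return d

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside a sliding window;
    record the usernames tried and whether a successful RDP logon followed."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["lt"] == 10]
    recent, hits = defaultdict(list), {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src = e["src"]
        if e["eid"] == 4625:
            recent[src] = [f for f in recent[src] if e["ts"] - f["ts"] <= window] + [e]
            if len(recent[src]) >= threshold:
                hits[src] = {"failures": len(recent[src]),
                             "users": {f["user"] for f in recent[src]},
                             "success_after": hits.get(src, {}).get("success_after", False)}
        elif e["eid"] == 4624 and src in hits:
            hits[src]["success_after"] = True  # credentials guessed? investigate first
    return hits
```

Many distinct usernames from one source inside the window is the password-spraying signature; a successful logon right after such a burst is the case to escalate first.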

In the blog post "Human-operated ransomware attacks: A preventable disaster," the Microsoft 365 Defender Threat Intelligence Team recommends practicing the principle of least privilege and maintaining credential hygiene. “Avoid the use of domain-wide, admin-level service accounts,” the team said. “Enforce strong randomized, just-in-time local administrator passwords. Use tools like LAPS.”

    Author

    Steve E. Driz, I.S.P., ITCP